> Is there a limit on how big the string can be for specifying the filter to
> pcap in pcap_compile? My filter needs to exclude a bunch of IP addresses
> (eg: tcpdump host not 1.1.1.1 and host not 2.2.2.2 ...up to 50 addresses)

There are definitely limits for the operating systems which do in-kernel filtering (FreeBSD in my case) - specifically, there is a limit to how many instructions the kernel will accept for the BPF interpreter. FreeBSD as of 4.9 has:

    /sys/net/bpf.h:
    #define BPF_MAXINSNS 512

I recently tested a bit and for a filter with 200 (src addr, dst port) pairs I had to increase the number of instructions to 2048. I seem to remember that 50 addresses (or in my case, 50 pairs) was no problem.

> If no such limit (other than reasonable buffer size and sanity checks) is
> it safe and efficient to add that many (50) IP addresses to the filter?

Safe provided you can get the kernel to accept a sufficiently large filter. Efficient? Maybe - if you need to compare with 50 addresses I believe it will do a sequential comparison with address 1, address 2, etc.

Steinar Haug, Nethelp consulting, [EMAIL PROTECTED]
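
An added example, not part of the original post or of tcpdump/libpcap: it builds the exclusion filter for a list of addresses and compares the number of BPF instructions `tcpdump -d` prints for it with the BPF_MAXINSNS value quoted above. The function names and the 10.0.0.x addresses are constructed for illustration; it assumes the local tcpdump can compile a filter without opening a capture device, and the instruction count depends on the link type it compiles for.

```shell
#!/bin/sh
BPF_MAXINSNS=512   # value quoted in the post for FreeBSD 4.9 (/sys/net/bpf.h)

# Join the given addresses into "not host A and not host B ...".
build_exclude_filter() {
    filter=""
    for addr in "$@"; do
        if [ -z "$filter" ]; then
            filter="not host $addr"
        else
            filter="$filter and not host $addr"
        fi
    done
    printf '%s\n' "$filter"
}

# Constructed sample input: addresses 10.0.0.1 .. 10.0.0.N (N <= 254).
sample_addrs() {
    i=1
    while [ "$i" -le "$1" ]; do
        printf '10.0.0.%d ' "$i"
        i=$((i + 1))
    done
}

# tcpdump -d prints the compiled program, one BPF instruction per line.
# A filter that fails to compile yields 0 lines.
insn_count() {
    tcpdump -d "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Succeeds only for a compiled program (count > 0) that fits the limit.
fits_limit() {
    [ "$1" -gt 0 ] && [ "$1" -le "$2" ]
}

if command -v tcpdump >/dev/null 2>&1; then
    f=$(build_exclude_filter $(sample_addrs 50))
    n=$(insn_count "$f")
    if fits_limit "$n" "$BPF_MAXINSNS"; then
        echo "50 hosts: $n instructions, within limit of $BPF_MAXINSNS"
    else
        echo "50 hosts: $n instructions, over $BPF_MAXINSNS or compile failed"
    fi
fi
```

Changing the argument to `sample_addrs` shows how the instruction count grows with the number of excluded hosts on a given link type.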